From: "Chuck Rock"
To: "'Freebsd-Ipfw"
Subject: IPFW Logging to syslog
Date: Sun, 3 Dec 2000 13:15:39 -0600
Message-ID: <000201c05d5d$6c252810$1805010a@epconline.net>

Does anyone know what to put in syslog.conf to put IPFW logging into its own /var/log/ipfwlog file? I haven't found any examples anywhere.
Thanks,
Chuck

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From: alex@big.endian.de (Alexander Langer)
To: Chuck Rock
Cc: 'Freebsd-Ipfw
Subject: Re: IPFW Logging to syslog
Date: Sun, 3 Dec 2000 23:05:40 +0100
Message-ID: <20001203230540.B448@cichlids.cichlids.com>
In-Reply-To: <000201c05d5d$6c252810$1805010a@epconline.net>

Thus spake Chuck Rock (carock@epctech.com):
> Does anyone know what to put in syslog.conf to put IPFW logging into its
> own /var/log/ipfwlog file?
I have this:

    sysctl -w net.inet.ip.fw.verbose=1

(you must set this after every boot) and then, in syslogd.conf:

    !ipfw
    *.*                                             /var/log/ipfw.today

Alex

--
cat: /home/alex/.sig: No such file or directory

From: "Crist J. Clark"
To: Chuck Rock
Cc: "'Freebsd-Ipfw"
Reply-To: cjclark@alum.mit.edu
Subject: Re: IPFW Logging to syslog
Date: Sun, 3 Dec 2000 17:59:25 -0800
Message-ID: <20001203175925.V99903@149.211.6.64.reflexcom.com>
In-Reply-To: <000201c05d5d$6c252810$1805010a@epconline.net>

On Sun, Dec 03, 2000 at 01:15:39PM -0600, Chuck Rock wrote:
> Does anyone know what to put in syslog.conf to put IPFW logging into its
> own /var/log/ipfwlog file?
>
> I haven't found any examples anywhere.

What version are you running? It matters. In 4.x, add

    !ipfw
    *.*                                             /var/log/ipfwlog

to get just ipfw messages.
But the line

    security.*                                      /var/log/security

in the default syslog.conf that comes with 4.x should catch all ipfw messages too.

--
Crist J. Clark                                cjclark@alum.mit.edu

From: "Matt Gustas"
Date: Mon, 4 Dec 2000 21:06:49 -0700

auth ac8753d2 subscribe freebsd-ipfw mjgustas@yahoo.com
From: "Ari Suutari"
Subject: IPFW & IPsec tunnel mode
Date: Thu, 7 Dec 2000 09:20:40 +0200
Message-ID: <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>

Hi,

I have been setting up a VPN between two offices in the same company using FreeBSD + KAME ipsec. Works OK otherwise, but I think that ipfw capabilities should be enhanced to understand more about ipsec.

My setup is something like this:

    Office A uses network nnn.nnn.nnn.0
    Office B uses network mmm.mmm.mmm.0

Both have FreeBSD 4.1 as firewall; office A has public address aaa.aaa.aaa.aaa and office B has public address bbb.bbb.bbb.bbb.

First, I set up an IPsec policy to use tunnel mode between these networks, without using any ipfw rules (i.e. ipfw pass ip from any to any). Works without any problems.
Then, I limit traffic with ipfw:

Office A's firewall:

    ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa
    ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb

Office B's firewall:

    ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb
    ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa

Now, ESP packets are allowed through. But of course, no services (for example telnet) work, because they don't have any ipfw pass rule that they match. OK, I added the following rules to make telnet work:

Office A's firewall:

    ipfw add pass tcp from any to any established
    ipfw add pass tcp from mmm.mmm.mmm.0/24 to nnn.nnn.nnn.0/24 23 setup

Office B's firewall:

    ipfw add pass tcp from any to any established
    ipfw add pass tcp from nnn.nnn.nnn.0/24 to mmm.mmm.mmm.0/24 23 setup

Now telnet works and it looks like all is done. However, these last rules also allow hosts in nnn.nnn.nnn.0 and mmm.mmm.mmm.0 to exchange telnet traffic without IPsec, since there is no way to state in these rules that they should only match packets coming from a specific IPsec tunnel. I was unable to sleep my nights peacefully because I realized that if someone on the internet disguises himself as an nnn.nnn.nnn.0 or mmm.mmm.mmm.0 host, my IPsec protection can be bypassed (I also realize that not everyone is capable of doing something like this).

So, I switched to using pipsecd, which passes tunnel packets to a tun device, and the problem was solved: I can add 'via tun0' to those last rules to make sure that they match only the packets coming from the tunnel. However, pipsecd only supports fixed keys and KAME seems more like the way of the future.

Would it be possible to enhance ipfw & KAME to work together better in the same way (like having some kind of name for each tunnel and allowing an ipfw rule to use them in a similar way as 'via' is used with interfaces)?

    Ari S.
--
Ari Suutari
Lemi, Finland

From: "Carlos Andrade"
Subject: I have been very naughty
Date: Thu, 7 Dec 2000 16:43:22 -0700
Message-ID: <000401c060a7$7cbdeac0$fadef9ce@copyco.com>

Could someone email me or show me where to find a pristine rc.firewall? I have been trying to make some new rules and, well, I forgot to make a copy (bad bad bad Carlos). I have a bunch of problems so I want to start over.

Another thing: the natd call in the simple version, the divert call, is not kosher. Running 4.1.1.1. If I can pull it off I will post my current rc.firewall for comments and, more than likely, finger pointing with laughter. But that is cool. How else will I learn?

----
Carlos A.
Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13   915.845.2119 fax
carlos@rjstech.com

From: "Carlos Andrade"
Subject: well now that I am a little better at this
Date: Fri, 8 Dec 2000 10:08:17 -0700
Message-ID: <000101c06139$75bb1940$fadef9ce@copyco.com>

I have a question:

    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

is in my rc.firewall, but when I reload them with

    $ bash /etc/rc.firewall &

I get the following:

    ip_fw_ctl: invalid command

? ??? Checking the ipfw man page, divert is not a valid command, but it's in the default rc.firewall.

What gives?

----
Carlos A.
Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13   915.845.2119 fax
carlos@rjstech.com

From: Jev
To: Carlos Andrade
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: well now that I am a little better at this
Date: Fri, 8 Dec 2000 17:25:52 +0000
Message-ID: <20001208172552.C1404@ecad.org>
In-Reply-To: <000101c06139$75bb1940$fadef9ce@copyco.com>

Hi,

I ran into this only yesterday. Check if you have the following compiled in your kernel:

    options IPDIVERT

This is documented in natd(8).

Regards,
-Emil J.V. Björsell

On Fri, Dec 08, 2000 at 10:08:17AM -0700, Carlos Andrade wrote:
> I have a question:
>
>     case ${natd_enable} in
>     [Yy][Ee][Ss])
>         if [ -n "${natd_interface}" ]; then
>             ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>         fi
>         ;;
>     esac
>
> is in my rc.firewall
>
> but when I reload them $bash /etc/rc.firewall &
>
> I get the following:
> ip_fw_ctl: invalid command
> ? ??? checking the ipfw man page divert is not a valid command, but it's in
> the default rc.firewall.
>
> what gives?
> ----
> Carlos A.
> Andrade
> IS Manager
> RJS Technologies
> 915.845.5228 ext 13   915.845.2119 fax
> carlos@rjstech.com

--
http://www.ecad.org/~jev/jev.gpg
Key fingerprint = D058 2F50 5202 4FC2 7B71 3996 369D 12C2 0F23 67D2
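The syslog.conf entries in the "IPFW Logging to syslog" thread above (the "!ipfw" program filter, or the default security.* line) only route the kernel's ipfw messages into a file; what one then does with that file is left open. The following is an added example, not code from the thread or from FreeBSD: a small Python summariser run over constructed log lines in the layout I assume the 4.x kernel writes once net.inet.ip.fw.verbose=1 is set ("ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>", plus the "limit N reached on entry M" notice when a rule's log quota is exhausted). The host name, interfaces, addresses and the stray sshd line in the sample are made up.

```python
"""Summarise ipfw syslog lines.  Added example, not code from the thread or
from FreeBSD; the line layout is assumed from the FreeBSD 4.x kernel's ipfw
logging and the sample lines below are constructed, not captured."""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample in the shape the 4.x kernel emits for a rule carrying the
# "log" keyword (assumed format).  The last line is ordinary syslog traffic that
# lands in the same file when security.* is used instead of the !ipfw filter.
SAMPLE_LOG = """\
Dec  3 13:15:39 therock /kernel: ipfw: 300 Deny TCP 10.1.5.24:1032 209.83.132.193:23 in via fxp0
Dec  3 13:15:41 therock /kernel: ipfw: 300 Deny TCP 10.1.5.24:1033 209.83.132.193:23 in via fxp0
Dec  3 13:15:52 therock /kernel: ipfw: 300 Deny UDP 10.1.5.24:4567 209.83.132.193:161 in via fxp0
Dec  3 13:16:03 therock /kernel: ipfw: 400 Deny ICMP:8.0 172.16.9.9 209.83.132.193 in via fxp0
Dec  3 13:16:10 therock /kernel: ipfw: 100 Accept TCP 209.83.132.193:22 192.168.1.2:1025 out via ed0
Dec  3 13:16:30 therock /kernel: ipfw: limit 100 reached on entry 300
Dec  3 13:16:31 therock sshd[213]: Accepted password for chuck from 192.168.1.2
"""

# "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>"; actions such
# as "Unreach 3" or "Pipe 10" carry a numeric argument, so allow one.
ENTRY_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Z][a-z]+(?: \d+)?) "
    r"(?P<proto>TCP|UDP|ICMP(?::\S+)?|P:\d+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out)(?: via (?P<iface>\S+))?"
)
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


def split_endpoint(endpoint: str, proto: str):
    """TCP/UDP endpoints are 'addr:port'; ICMP and raw protocols carry no port."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        addr, port = endpoint.rsplit(":", 1)
        return addr, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a rule hit, a 'limit' marker, or None for other lines."""
    m = ENTRY_RE.search(line)
    if m:
        src, sport = split_endpoint(m["src"], m["proto"])
        dst, dport = split_endpoint(m["dst"], m["proto"])
        return {"kind": "hit", "rule": int(m["rule"]), "action": m["action"],
                "proto": m["proto"], "src": src, "sport": sport,
                "dst": dst, "dport": dport, "dir": m["dir"], "iface": m["iface"]}
    m = LIMIT_RE.search(line)
    if m:
        # After this notice the kernel stops logging the rule until the counter
        # is reset (ipfw resetlog), so later hits on it leave no trace here.
        return {"kind": "limit", "rule": int(m["rule"]), "limit": int(m["limit"])}
    return None


def summarize(log_text: str) -> Dict[str, object]:
    """Count denied packets per source and hits per rule; flag silenced rules."""
    denied_by_src: Counter = Counter()
    hits_by_rule: Counter = Counter()
    suppressed = set()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1            # non-ipfw lines: count them rather than crash
        elif rec["kind"] == "limit":
            suppressed.add(rec["rule"])
        else:
            hits_by_rule[rec["rule"]] += 1
            if rec["action"] == "Deny":
                denied_by_src[rec["src"]] += 1
    return {"denied_by_src": dict(denied_by_src),
            "hits_by_rule": dict(hits_by_rule),
            "suppressed_rules": sorted(suppressed),
            "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "suppressed_rules" entry is the one worth watching in practice: a rule that has hit its log limit is still blocking, but the file no longer shows it, so a quiet log is not the same as a quiet firewall.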
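Ari Suutari's "IPFW & IPsec tunnel mode" message above describes the gap precisely: once the 'setup' rule admits cleartext TCP from mmm.mmm.mmm.0/24, a packet forged with that source and sent in the clear from the internet matches it exactly as a decapsulated tunnel packet does, and on the KAME setup there is no interface name to tie the rule to. The following Python model is an added example, not code from the thread or from FreeBSD. It reduces ipfw matching to what his rules use (protocol, source, destination, port, setup, established, via), substitutes RFC 5737 documentation addresses for his nnn/mmm/aaa/bbb placeholders, assumes "fxp0" as office A's external interface, and shows that adding 'via tun0' (his pipsecd fix) stops the forged packet while still passing the tunnelled one.

```python
"""Model of office A's ipfw rule sets from the message, showing the spoofing
bypass and the 'via tun0' fix.  Added example, not the thread's own code; ipfw
semantics are reduced to what these rules need, and the addresses and the
interface name are substitutions for the message's placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Substituted addresses (assumption: the message uses placeholders).
A_PUB, B_PUB = "203.0.113.1", "203.0.113.2"        # aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb
A_NET, B_NET = "192.0.2.0/24", "198.51.100.0/24"   # nnn.nnn.nnn.0/24, mmm.mmm.mmm.0/24
EXT_IF = "fxp0"   # office A's internet-facing interface (assumed name)


@dataclass
class Packet:
    proto: str                 # "esp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False
    iface: str = EXT_IF        # interface ipfw sees the packet on ('via')


Rule = Tuple[str, Callable[[Packet], bool]]


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None,
         setup: bool = False, established: bool = False,
         via: Optional[str] = None) -> Rule:
    """One 'ipfw add ACTION PROTO from SRC to DST [PORT] [setup|established] [via IF]'."""
    def match(p: Packet) -> bool:
        if p.proto != proto or not _in(p.src, src) or not _in(p.dst, dst):
            return False
        if dport is not None and p.dport != dport:
            return False
        if setup and not (p.syn and not p.ack):     # 'setup': SYN without ACK
            return False
        if established and not p.ack:               # 'established': ACK (or RST) set
            return False
        if via is not None and p.iface != via:      # 'via IF'
            return False
        return True
    return action, match


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; the default is the kernel's closing deny."""
    for action, match in rules:
        if match(p):
            return action
    return "deny"


def office_a_rules(via: Optional[str] = None) -> List[Rule]:
    """Office A's rules from the message.  via=None is the KAME setup, where the
    decapsulated packet carries no tunnel interface; via='tun0' is the pipsecd
    setup, where decapsulated packets enter through tun0."""
    return [
        rule("pass", "esp", B_PUB, A_PUB),
        rule("pass", "esp", A_PUB, B_PUB),
        rule("pass", "tcp", "any", "any", established=True, via=via),
        rule("pass", "tcp", B_NET, A_NET, dport=23, setup=True, via=via),
    ]


def bypass_demo() -> dict:
    # Telnet SYN from an office B host to an office A host after pipsecd has
    # decapsulated it and handed it to tun0.
    from_tunnel = Packet("tcp", "198.51.100.7", "192.0.2.10", 23, syn=True, iface="tun0")
    # The same SYN sent in the clear from the internet with a forged office B
    # source: it arrives on the external interface, no ESP involved.  Under
    # KAME the genuine decapsulated packet looks identical to this one.
    spoofed = Packet("tcp", "198.51.100.7", "192.0.2.10", 23, syn=True, iface=EXT_IF)
    esp_from_b = Packet("esp", B_PUB, A_PUB, iface=EXT_IF)
    kame, pipsecd = office_a_rules(), office_a_rules(via="tun0")
    return {
        "kame_spoofed": evaluate(kame, spoofed),           # "pass": the bypass
        "pipsecd_spoofed": evaluate(pipsecd, spoofed),     # "deny"
        "pipsecd_tunnel": evaluate(pipsecd, from_tunnel),  # "pass"
        "pipsecd_esp": evaluate(pipsecd, esp_from_b),      # "pass": outer ESP still allowed
    }


if __name__ == "__main__":
    for name, verdict in bypass_demo().items():
        print(f"{name}: {verdict}")
```

Run it as a script to print the four verdicts. Later FreeBSD releases gave ipfw an 'ipsec' match option (packets that the kernel's IPsec has decapsulated), which is the tunnel awareness the message asks for; nothing like it exists on the 4.1 systems in this thread, and the model does not pretend otherwise.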